Hi again @dhrupal.patel
I can see that you are experiencing similar issues posted in your previous topic regarding the skip behavior of the WebAuth enrollment. In order to address the more specific issues you have posted here:
You are reporting that when WebAuthn platform authenticator enrollment is triggered programmatically via api.authentication.enrollWith({ type: 'webauthn-platform' }) in a Post-Login Action, neither snoozeEnrollment() nor refuseEnrollmentOnThisDevice() from the Advanced Customizations for Universal Login (ACUL) SDK can complete the login transaction. Both methods result in transaction failure and the user being unable to log in, and the only workaround is calling reportBrowserError() with a synthetic WebAuthn error to signal a browser-side failure.
Root Cause: Auth0 does not officially support optional MFA enrollment with skip or snooze functionality when enrollment is triggered via api.authentication.enrollWith() in a Post-Login Action. When enrollWith() is called, it creates a mandatory enrollment transaction that Auth0 expects to be completed before the authentication flow can proceed. The ACUL SDK methods snoozeEnrollment() and refuseEnrollmentOnThisDevice() are designed to work only within Auth0's native progressive enrollment flow (where enrollment is policy-driven), not with action-triggered enrollment. These methods do not satisfy the transaction completion requirement imposed by enrollWith(), leaving the transaction in a failed state.
The reportBrowserError() workaround succeeds because it signals a WebAuthn API failure at the browser level, which Auth0 interprets as a legitimate technical reason to bypass the enrollment requirement and allow the transaction to complete. This is not an intended use of the method and should not be relied upon as a permanent solution.
Official Limitation: According to Auth0 support documentation, skipping MFA enrollment is not supported when MFA is enabled. The platform requires that when an enrollment is triggered, it must be completed before authentication can proceed. There is no tenant-side configuration, Login Flow Action, or MFA enrollment policy setting that can change this behavior when using enrollWith().
Recommended Alternatives:
- Use
enrollWithAny() instead of enrollWith() — This method allows users to skip enrollment if they already have at least one other MFA factor enrolled. If the user has no other factors, they are still required to enroll in one of the available options, but they can choose which factor to use.
Example:
exports.onExecutePostLogin = async (event, api) => {
if (event.user.enrolledFactors.length === 0) {
api.authentication.enrollWithAny({
factors: ['webauthn-platform', 'otp']
});
}
};
- Use conditional logic to avoid triggering enrollment for specific users — Instead of calling
enrollWith() for all users, check user metadata, group membership, or other conditions to determine whether enrollment should be prompted at all.
Example:
exports.onExecutePostLogin = async (event, api) => {
if (event.user.app_metadata.requiresWebAuthnEnrollment) {
api.authentication.enrollWith({
type: 'webauthn-platform'
});
}
};
- Prompt users for enrollment outside the authentication flow — Implement enrollment as an optional, post-login user preference in your application rather than as a mandatory step during authentication. This allows users to enroll at their own pace without blocking login.
- Use
tryAnotherMethod() from the ACUL SDK — If you are using a custom enrollment screen, the tryAnotherMethod() method allows users to switch to a different MFA factor, but this does not allow them to skip enrollment entirely.
What the documentation does not clarify: The ACUL SDK documentation for snoozeEnrollment() and refuseEnrollmentOnThisDevice() does not explicitly state that these methods only work with policy-driven progressive enrollment and will fail when enrollment is triggered via api.authentication.enrollWith() in a Post-Login Action. This distinction should be documented to prevent developers from attempting to use these methods in action-triggered scenarios where they are not supported.
Submitting feedback: If optional enrollment with skip/snooze functionality is required for your use case, Auth0 recommends submitting a feature request using the Auth0 Product Feedback page.
You might want to dig into these resources:
We hope this clarifies the limitation and provides a path forward for your implementation.
Kind Regards,
Nik